ESB-2011.0476 - [NetBSD] dhclient: Execute arbitrary code/commands - Remote/unauthenticated

Date: 27 April 2011
References: ESB-2011.0383.2  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2011.0476
         ISC dhclient hostname field shell metacharacter injection
                               27 April 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          dhclient
Publisher:        NetBSD
Operating System: NetBSD
Impact/Access:    Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:       Patch/Upgrade
CVE Names:        CVE-2011-0997  

Reference:        ESB-2011.0383.2

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


		 NetBSD Security Advisory 2011-005
		 =================================

Topic:		ISC dhclient does not strip shell meta-characters in
		environment variables passed to scripts.

Version:	NetBSD-current:		affected
		NetBSD 5.1:		affected
		NetBSD 5.0:		affected
		NetBSD 4.0.*:		affected
		NetBSD 4.0:		affected
		pkgsrc:			isc-dhclient4 package prior to
					4.2.1-P1

Severity:	Arbitrary Script Execution

Fixed:		NetBSD-current:		April 6th, 2011
		NetBSD-5-0 branch:	April 7th, 2011
		NetBSD-5 branch:	April 7th, 2011
		NetBSD-4-0 branch:	April 7th, 2011
		NetBSD-4 branch:	April 7th, 2011
		pkgsrc 2011Q1:		April 11th, 2011


Abstract
========

dhclient does not strip or escape certain shell metacharacters in
responses from the DHCP server, allowing a rogue server, or a party with
escalated privileges on a legitimate server, to execute arbitrary code on
the client.

This vulnerability has been assigned CVE-2011-0997 and CERT
Vulnerability Note VU#107886.


Technical Details
=================

ISC dhclient did not strip or escape certain shell metacharacters in
values received from the DHCP server (such as the host-name option)
before exporting them to the environment of dhclient-script. A crafted
value can therefore be executed as shell commands on the client.

For more details, please see CVE-2011-0997.


Solutions and Workarounds
=========================

dhclient(8) exports many variables into the environment of
dhclient-script. Some of them are strings supplied by the DHCP server
and were not checked for shell metacharacters. In the current
/sbin/dhclient-script, "eval" is used only in ifconfig(8) commands whose
arguments the server cannot set to arbitrary strings ($interface and
$medium are set by the client; $new_ip_address, $new_netmask_arg,
$new_broadcast_arg, $alias_ip_address and $old_ip_address are IP
addresses). Nevertheless, one should either patch dhclient to sanitize
all variables or add the following line at the beginning of the
set_hostname() function in /sbin/dhclient-script:

new_host_name="$(echo "${new_host_name}" | sed -e 's/[^a-zA-Z0-9-]*//g')"

The reason for doing this is that unless the host name is sanitized, a
host name containing shell metacharacters can be set on the system, and
other scripts that use the compromised host name may break.

Note that the sed expression above keeps only letters, digits and '-', so
it also removes '.': a fully qualified name such as host.example.org
becomes hostexampleorg. If the DHCP-supplied FQDN is needed, add '.' to
the character class.
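
The following is an added example, not code from the NetBSD advisory or from dhclient-script. It reproduces the injection path described in the Technical Details section and the sanitizing workaround above in throw-away shell functions: set_host is a stand-in for hostname(1) so nothing on the machine is changed, the eval-based function is an illustrative vulnerable consumer (the advisory notes that NetBSD's own script does not eval server-supplied strings), the rogue option value is constructed, and sanitize_fqdn is this example's own dot-preserving variant of the advisory's sed line.

```sh
#!/bin/sh
# Added example (not from the NetBSD advisory or dhclient-script).
# Compares three ways of consuming a DHCP-supplied host name: re-parsed by
# eval (exploitable), quoted (safe from injection but junk is installed),
# and sanitized with the advisory's sed expression.

# Stand-in for hostname(1): records the name instead of changing the system.
set_host() {
    printf 'hostname set to: %s\n' "$1"
}

# Constructed host-name option value as a rogue DHCP server might send it.
# The payload merely echoes a marker; a real one could run any command.
ROGUE_HOST_NAME='box;echo INJECTED'

# 1. Vulnerable pattern: the server-supplied string is re-parsed by eval, so
#    ';' terminates the intended command and the remainder runs as a new one.
vulnerable_set_hostname() {
    new_host_name="$1"
    eval "set_host $new_host_name"
}

# 2. Quoting alone stops the injection (the whole string is one argument),
#    but the junk name is still installed, which is what the advisory warns
#    can break other scripts that later read the host name.
quoted_set_hostname() {
    new_host_name="$1"
    set_host "$new_host_name"
}

# The advisory's workaround, wrapped in a function so it can be applied to
# any server-supplied variable, not only new_host_name. Keeps [a-zA-Z0-9-].
sanitize_host_name() {
    printf '%s\n' "$1" | sed -e 's/[^a-zA-Z0-9-]*//g'
}

# Same idea, but keeping '.' so a fully qualified name survives. This is the
# example's own variant, not text from the advisory.
sanitize_fqdn() {
    printf '%s\n' "$1" | sed -e 's/[^a-zA-Z0-9.-]*//g'
}

# 3. Sanitized pattern: strip first, then pass the result as one quoted word.
fixed_set_hostname() {
    new_host_name="$(sanitize_host_name "$1")"
    set_host "$new_host_name"
}

# Demonstration when the script is run directly.
demo() {
    echo '--- vulnerable (eval) ---'
    vulnerable_set_hostname "$ROGUE_HOST_NAME"
    echo '--- quoted only ---'
    quoted_set_hostname "$ROGUE_HOST_NAME"
    echo '--- sanitized ---'
    fixed_set_hostname "$ROGUE_HOST_NAME"
    echo '--- FQDN through the advisory sed, then the dot-preserving variant ---'
    sanitize_host_name 'host.example.org'
    sanitize_fqdn 'host.example.org'
}

demo
```

Running the script prints the marker on its own line only in the vulnerable case; the quoted variant installs the literal string `box;echo INJECTED` as a host name, and the sanitized variant installs `boxechoINJECTED`. The FQDN lines show why a practitioner may want the '.'-preserving character class on hosts that rely on the DHCP-supplied domain.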

In environments where network filters or ACLs can restrict clients to
reaching only legitimate DHCP servers, this protects clients from rogue
DHCP servers deliberately trying to exploit this bug. It does not protect
against a compromised legitimate server. Note that dhclient receives
replies through bpf(4), below the IP-layer packet filter, so a host
firewall on the client itself is not an effective filter here; the
restriction has to be enforced on the network (for example on switches or
upstream routers).

Further workaround: disable dhclient(8) from the base OS and use the
fixed isc-dhclient4 package (4.2.1-P1 or later) from pkgsrc.

The following instructions describe how to upgrade your dhclient
binaries by updating your source tree and rebuilding and
installing a new version of dhclient.

  CVS branch    file                                    revision
  ------------- ----------------                        --------
  HEAD          src/dist/dhcp/client/dhclient.c		1.21
  netbsd-5-0    src/dist/dhcp/client/dhclient.c		1.19.12.2
  netbsd-5-1    src/dist/dhcp/client/dhclient.c		1.19.8.1.2.1
  netbsd-5      src/dist/dhcp/client/dhclient.c		1.19.8.2
  netbsd-4-0    src/dist/dhcp/client/dhclient.c		1.18.12.2
  netbsd-4      src/dist/dhcp/client/dhclient.c		1.18.2.2

The following instructions briefly summarize how to update and
recompile dhclient. In these instructions, replace:

  VERSION  with the fixed version from the appropriate CVS branch
           (from the above table)
  FILE     with the name of the file from the above table


To update from CVS, re-build, and re-install dhclient:
	# cd src
	# cvs update -d -P -r VERSION FILE
	# cd usr.sbin/dhcp
	# make USETOOLS=no cleandir dependall
	# cd client
	# make USETOOLS=no install


Thanks To
=========

Sebastian Krahmer and Marius Tomaschewski, SuSE Security Team, for
discovering and reporting the software flaw.


Revision History
================

	2011-04-26	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2011-005.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2011, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2011-005.txt,v 1.2 2011/04/26 16:56:52 tonnerre Exp $
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (NetBSD)
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFNt4Ak/iFOrG6YcBERAlLzAJ9+Z4hwnNAL8YQpmej7+o2cyf3NegCeMksz
XhFl6+wYRbjPGLWoHSn1Zts=
=3cCC
-----END PGP SIGNATURE-----